Closed code423n4 closed 2 years ago
The harvestNextStrategy isn't able to be called by non-whitelisted addresses
harvestNextStrategy
can be called by anyone
However it calls harvest
which uses the modifier onlyHarvester
, invalidating the finding
Handle
tensors
Vulnerability details
Impact
The amounts _estimatedWETH and _estimatedYAXIS are lower bounds that the protocol expects to recieve. An attacker can call havervestNextStrategy(vault, 1, 1) after manipulating the pools called in _harvest and _swap.
The protocol sees nothing wrong with only receiving a small amount of tokens and does the transactions. The attacker then manipulates the pools back, pocketing the difference.
Proof of Concept
https://github.com/code-423n4/2021-09-yaxis/blob/cf7d9448e70b5c1163a1773adb4709d9d6ad6c99/contracts/v3/Harvester.sol#L213
Recommended Mitigation Steps
Do not let anybody call this function. Furthermore, make sure the _estimated amounts when the controller or manager calls this function is reasonable, as was mentioned in a different issue.